From 049ff5b8ce023dbb84059d41808e33605dc78e5e Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Tue, 19 May 2015 01:45:48 -0400
Subject: [PATCH] Verify local senders, block senders using spamhaus, enforce SPF

Local sender verification is warn only for the time being since many web apps are currently sending messages from invalid addresses (e.g. moin uses noreply@$domain).
---
 conf.d/acl/30_exim4-config_check_rcpt | 12 ++++++++----
 conf.d/main/01_exim4-config_listmacrosdefs | 6 ++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/conf.d/acl/30_exim4-config_check_rcpt b/conf.d/acl/30_exim4-config_check_rcpt
index b5050d5..9f8a189 100644
--- a/conf.d/acl/30_exim4-config_check_rcpt
+++ b/conf.d/acl/30_exim4-config_check_rcpt
@@ -118,9 +118,12 @@ acl_check_rcpt:
 # 39.31 with the added information that a smarthost/satellite setup
 # routes all non-local e-mail to the smarthost.
 .ifdef CHECK_RCPT_VERIFY_SENDER
- deny
- message = Sender verification failed
- !acl = acl_whitelist_local_deny
+ # hcoop-change: warn so that we can track down webapps sending
+ # without a valid return user, but not break the many web apps that
+ # do so. Fix.
+ warn
+ log_message = Sender verification failed
+ !acl = acl_local_deny_exceptions
 !verify = sender
 .endif
 
@@ -318,7 +321,8 @@ acl_check_rcpt:
 # Check against classic DNS "black" lists (DNSBLs) which list
 # sender IP addresses
 .ifdef CHECK_RCPT_IP_DNSBLS
- warn
+ # hcoop-change: drop connection instead of warning
+ drop
 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
 dnslists = CHECK_RCPT_IP_DNSBLS
diff --git a/conf.d/main/01_exim4-config_listmacrosdefs b/conf.d/main/01_exim4-config_listmacrosdefs
index 4e10add..c02cd3b 100644
--- a/conf.d/main/01_exim4-config_listmacrosdefs
+++ b/conf.d/main/01_exim4-config_listmacrosdefs
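Review bot: The relaxed `warn` applies to every envelope sender, not only the local web-app case the commit message describes: the new statement carries no domain condition, so a remote sender whose domain fails `verify = sender` (with the stock Debian routers, roughly a domain with no MX/A records) is now accepted where the old `deny` rejected it. Keeping the `deny` for non-local sender domains and restricting the warn-only path to `+local_domains` preserves that check while still logging the misbehaving web apps; `+local_domains` is assumed to be the domainlist the surrounding Debian ACL already uses, so confirm the name. Evaluating `sender_domains` before `verify` also means local senders are not verified twice, since each statement's conditions stop at the first false one.
```exim
  .ifdef CHECK_RCPT_VERIFY_SENDER
  # Remote sender domains that fail verification are still rejected.
  deny
    message = Sender verification failed
    !acl = acl_local_deny_exceptions
    !sender_domains = +local_domains
    !verify = sender

  # hcoop-change: local senders only warn for now, so that web apps
  # sending from invalid local addresses can be tracked down without
  # breaking them.
  warn
    log_message = Sender verification failed
    !acl = acl_local_deny_exceptions
    sender_domains = +local_domains
    !verify = sender
  .endif
```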
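Review bot: `message = X-Warning: ...` is the header-adding form that belonged to the old `warn` verb; under `drop` the `message` modifier becomes the SMTP rejection text, so remote clients will now receive a 550 line beginning with `X-Warning:`. Replace it with a plain rejection string such as `message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)` and keep `log_message` as it is. Note too that `drop` fires for whatever the `dnslists` condition matches, and with a bare zone name Exim treats any A record the list returns as a listing, so the return-code filtering belongs on the CHECK_RCPT_IP_DNSBLS macro. Whether authenticated or relay clients on PBL-listed dynamic ranges are exempt depends on the `accept authenticated`/relay statements that precede this one, which are outside the hunk.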
@@ -116,3 +116,9 @@ MAILDIR_HOME_MAILDIR_LOCATION = /afs/hcoop.net/common/email # hcoop-change: enable TLS MAIN_TLS_ENABLE = yes
+
+# hcoop-change: enabled sender verification
+CHECK_RCPT_VERIFY_SENDER = true
+CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org
+CHECK_RCPT_REVERSE_DNS = true
+CHECK_RCPT_SPF = true
--
2.20.1
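Review bot: `CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org` matches any A record the zone returns, and Spamhaus answers queries it refuses (for example from open/public resolvers or above the free query limit) with 127.255.255.x codes rather than NXDOMAIN, so a resolver problem would turn the `drop` in acl_check_rcpt into a blanket rejection of inbound mail. Pin the documented listing codes, `CHECK_RCPT_IP_DNSBLS = zen.spamhaus.org=127.0.0.2,127.0.0.3,127.0.0.4,127.0.0.9,127.0.0.10,127.0.0.11`, so only genuine listings match. `CHECK_RCPT_SPF = true` enables an ACL block not shown in this patch; if it is the stock Debian one it runs `spfquery.mail-spf-perl` through `${run}` for each RCPT, so spf-tools-perl must be installed and the per-recipient process cost on unauthenticated connections accepted, which is worth a comment next to the macro. The subject says "enforce SPF", but the patch only flips the macro, so the actual policy (reject on fail versus header only) is whatever that unseen block does.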